Forget Snowden: What have we learned about the NSA?

Opinion It has now been a month since Edward Snowden outed himself as the NSA whistleblower who has exposed much about the level of government and corporate surveillance in our society. The revelations aren't stopping, and neither should the debate, but it's getting sidelined by distractions of character not content.

Snowden is presumably still loitering in the transit lounge of Moscow's Sheremetyevo International Airport, trying to find a refuge where he can live as a normal human being without the fear of being subject to the same treatment as Bradley Manning. But far too much attention has been focused on the man himself, rather than the practices he has exposed.

It's always tempting to concentrate on personalities as opposed to the back story. We saw this with WikiLeaks – within weeks of the US cables release the story had shifted from the content of the information to making the story about Julian Assange. You hear little talk about the substance of Bradley Manning's leaks these days – it's all about the silver-haired Aussie.

This is unfortunate, since Assange gives every impression of being a vainglorious martyr with very dodgy attitudes towards women and an overinflated sense of self importance. Snowden however seems more concerned with making the story less about him and more about the facts of the case.

As such, let's look at the facts of what we've learned about our surveillance society in the last month and less at the person that brought the news. It's always tempting to focus on the great and powerful Oz and not at the backstory that, when you consider it, is far more important than any personal petty considerations.

You are not paranoid

At last year's Black Hat hacking conference in Las Vegas this hack asked a former government investigator if the US was spying on US citizens. He seemed enraged by the idea that the media were trying to make out that the US government would spy on its own citizens and any such suggestion was paranoia in action.

Maybe he believed it, maybe not, but the last month has shown that either he was dangerously out of the loop or being willfully misleading. He wasn't alone.

At congressional hearings in March the US director of national intelligence James Clapper was asked directly by Senator Ron Wyden (D-OR) if the NSA was collecting data on millions of Americans – a question Wyden had cleared with Clapper 24 hours beforehand. Clapper replied "No," which he later said depended on how you interpreted the word "collect," after Snowden started releasing documents.

The news broke for people in the US when Snowden released documents showing that Verizon Business was routinely handing over full user metadata to the NSA thanks to a secret court order. This includes who is called, for how long, and where you are when doing so, and it's all legal under section 215 of the Patriot Act (according to the government) so long as the content of the calls isn't directly monitored.

The knock-on effect of the disclosure was that it became clear that the NSA wasn't just targeting Verizon Business – AT&T were on a regular list of companies who operate under a rolling set of secret court-orders to hand over customer records. T-Mobile and Verizon Wireless appear not to be affected due to partial foreign ownership.

After the Verizon court documents Snowden showed poorly designed PowerPoint slides about PRISM, a system that is designed to harvest the data from Google, Microsoft, Yahoo! and others, to give the NSA access to users of corporate servers. The details of the system are still in doubt but from what we know some of the biggest names in IT were handing over users' data for storage and analysis.

This caused a certain amount of problems for the companies involved in PRISM. Microsoft, Apple, and Google (among others) all released very carefully worded statements denying that they provide the NSA direct access to their servers. However, Microsoft and Google have since asked to be released from gagging orders under which such surveillance was carried out.

They had good reason to. Cloud storage and service providers based in the US reported taking an immediate hit from the affair. "We're toxic in Europe," one vendor told El Reg. As it turns out, he needn't have worried too much; everyone is in on the game.

On Thursday Microsoft's problems got even bigger when Snowden released documents showing quite how closely Redmond is working with the NSA to slurp customers' data. Redmond has installed a backdoor into Outlook encryption for the Feds, SkyDrive is wide open to the NSA and Skype calls are increasingly under scrutiny. Office 365 isn't looking as attractive as it was.

The global perspective

So far Snowden's releases had only covered US traffic, but after leaving the country he started to spill the beans about the overseas operations of the NSA and others.

After Snowden fled to Hong Kong he told the Chinese authorities about the efforts of the NSA to hack not just Middle Kingdom military servers, but also civilian networks such as mobile providers. There was a listening station not too far from his hotel room he said.

The usual unnamed government sources have accused Snowden of passing secrets to the Chinese, and other foreign governments, either with or without Snowden's consent. He has emphatically denied this, saying he has not passed on data and the NSA files are safe.

While this was interesting news for the locals, the disclosure was particularly embarrassing for the US government since it has been making increasingly public noises about China hacking US government and corporate servers. The topic was high on the agenda for the first meeting between President Obama and Chinese premier Xi Jinping.

On June 21 came news that when it comes to surveillance then you can't beat the British bulldog spirit. Not only is Government Communications Headquarters (GCHQ) collecting data indiscriminately on UK telecoms traffic via the Tempora program, but taps have been built into fiber optic cables that form the backbone of data traffic across the Atlantic and data from these connections is stored as well.

Not to say that the US wasn't holding its end up. Documents released by Snowden show the US targeted 38 embassies and missions for eavesdropping, using communications taps or old-fashioned wall-installed audio bugs. They included those of major allies like France, Greece and Japan, and of the European Union mission in New York.

Snowden also took part in an email interview with Der Spiegel, in which he pointed out that other European countries also work hand in glove with the NSA to swap intelligence information. He also claimed that the NSA and Israel had collaborated on the creation of the Stuxnet virus, which was used to damage Iranian nuclear infrastructure.

How a classic cock-up helped Snowden avoid extradition thus far

Despite the apparent resources of the NSA, Snowden was able to leave Hong Kong on a flight to Russia. The documents cancelling his passport issued by the US got his middle name wrong and the Chinese authorities were able to legitimately say they had no reason to hold him.

Since his arrival he's presumed somewhere in the transit section of the airport he arrived at, which leaves him in diplomatic limbo as his passport has now been successfully cancelled. And there he is staying for the time being, trying to find a country that will take him and resist diplomatic pressure to keep him off US soil.

Following this latest incarceration we've had a string of exclusive stories that haven't been officially confirmed as coming from Snowden, but nevertheless bear all the hallmarks of material he could have provided. But we don’t know because there has been no official investigation into the veracity of the claims.

President Obama has said that the whole thing was no big deal and is a matter for the law courts. The damage has been done and the leaks would stir a "healthy debate" in the security community on the issues of both the privacy of US citizens and the efficiency, or lack thereof, in the intelligence agency's vetting procedures.

As for Snowden, the US president (and former president of the Harvard Law Review) said that the extradition process was "not exceptional," but he could understand why it made a good story. He wouldn’t "be scrambling jets to get a 29-year-old hacker," he said.

As it turns out he didn’t need to. Six days later the jet of Bolivian president Evo Morales was denied access to the airspace of France, Spain, and Portugal, and was forced to land in Vienna after a rumor that Snowden was on board. After a visual inspection the plane was allowed to leave.

One wonders whether, if the Bolivian government had tried to force Air Force One carrying President Obama down for inspection on similar pretexts during a visit to South America, it would have been seen as "no big deal" by the US military.

Theater of the absurd

These Snowden shenanigans make for great copy and are very distracting, but at some point we're going to have to deal with the issue of how far we are willing to let government agencies monitor our online life and under what circumstances.

Preliminary legal suits and formal objections have been filed and a blizzard of Freedom of Information requests are going out over the issues Snowden has highlighted. But they are running into the traditional Kafkaesque conundrum: The laws under discussion are secret, therefore we cannot discuss them.

Meanwhile the Snowden carnival rattles on, with pundits earnestly debating whether or not he is a traitor, endless speculation about which country will offer him asylum, and endless little snippets about his past and associates that might be used to divine an insight into his character.

Personally I couldn't care less if he likes to relax at the end of the day in a bath of mint-scented jelly balancing a beach ball on his head while listening to the collected albums of David Hasselhoff played backwards (a considerable improvement some might say.) What matters is the veracity of what he's saying.

Some kind of independent investigation into what exactly is going on, in the form of a repeat of the post-Watergate Church Committee hearings and at a higher international level, is needed. This isn’t just about the US; there are a lot more people on the planet and we are all affected by this.

In 1948 the UN adopted the Universal Declaration of Human Rights and a child born in that year would be 65 today; the retirement age of many 'socialist' states. The grandchildren of that generation are going to need similar principles that protect the individual from the increasing ability to map out someone's life online and off.

But this is also a national security issue. For the first time the DEFCON hacking conference is banning government officials because of "recent events." The very people needed to defend the US against hacking attacks are now spurning the government because of its actions.

The NSA has some very talented people on the payroll, but some of the smartest minds in the business are never going to join. Dan Kaminsky looks highly uncomfortable in a suit and there's no chance Moxie Marlinspike is going to go corporate and help the government do what it wants.

A lot of the best people in the security industry take privacy very seriously, because they know what the stakes are. If the US government really wants to bolster its hacking defenses it needs these people on board and they're not going to do so if the government behaves like a bandit and smears or incarcerates those with whom it is annoyed.

Whether it be for human rights or national security, this situation needs to be resolved. Digital rights need the same debate as human ones. Our society needs to decide where it draws the line between privacy and politics, and it needs to do so in a calm and measured way.

So forget about Snowden as a character and "Follow the money," as Deep Throat put it. Anything else is a distraction. ®